understanding and controlling security risks in the cloud

Post on 13-Jan-2022

Page 1: Understanding and Controlling Security Risks in the Cloud

Security • Data Management & Collaboration • Hosted Communications • Mobility • Infrastructure • Business Productivity

(303) 790-4848 • (855) 884-PAX8 • [email protected] • pax8.com

a cloud commerce marketplace

copyright 2014: Pax8

THE CLOUD REVOLUTION:

Understanding and Controlling Security Risks in the Cloud


A rapidly growing number of businesses are now utilizing cloud-computing services to one extent or another. Given the conveniences and benefits inherent in cloud services, including the relatively low cost, this is hardly surprising. Yet the cloud revolution is just beginning, and the use of cloud services is expected to expand rapidly. In fact, projections are that the cloud computing market will exceed $240 billion in the next five years.

Despite the undeniable benefits brought about by the transition to new cloud technology, a serious concern arises as data and applications are increasingly controlled by outside service providers. Even as some security concerns are alleviated by the cloud, new security concerns emerge. What are the real threats in the cloud? What measures can be taken to protect data? Where is clear visibility and control lost?

The efficiency of the cloud is derived through virtualization and aggregation of storage, compute, and network capabilities into reusable resource pools that reside at data centers. Customers use only what they need, which saves on resources. This agility and greater utilization of resources gives rise to the lower costs. These services are offered in various stages of completeness, ranging from turnkey, single application services to broad customizability provided by individual selection of resources. Cloud computing is generally categorized into three service models depending on the completeness of the service:

Software as a Service (SaaS): This is a turnkey on-demand service that provides both the hardware and software functionality to run a specific application, including maintenance and operations. Subscribers have little to no management capability or control over the underlying cloud infrastructure and applications, except for some preference settings. Security provisions for SaaS are primarily the responsibility of the cloud provider.

Platform as a Service (PaaS): This is a cloud computing platform provided as an on-demand service upon which the subscriber can deploy his own applications or create personalized applications using tools supported by the cloud provider. Control over environmental settings is restricted to the cloud provider, but the subscriber is able to fully manage the deployed applications. Responsibility for security provisions is divided between the cloud provider and the cloud subscriber.

Infrastructure as a Service (IaaS): Cloud subscribers can provision computing resources including storage, processing, and networks as an on-demand service, on which they can host any operating system and applications. These resources are obtained as virtualized objects and are controlled via a service interface. Security of the underlying basic cloud infrastructure is the responsibility of the cloud provider, but the subscriber owns the responsibility for security at higher levels.

The scope and control of security between the cloud subscriber and the cloud provider for each of these service models is illustrated in the figure below [figure 1]. The arrows on the left illustrate the responsibility of the cloud provider, while the arrows on the right are indicative of the security responsibilities taken on by the cloud subscriber.

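[Figure 1: Security responsibility by service model. Left: Cloud Provider arrows for SaaS, PaaS, and IaaS. Right: Cloud Subscriber arrows for SaaS, PaaS, and IaaS. Layers shown: Data, Application, Operating System (labeled Virtual Machine), Virtualized Infrastructure, Compute & Storage Hardware, Shared Network.]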

The bottom three layers represent the physical elements of the cloud environment, which are under the control of the cloud provider regardless of the service model. The upper three layers are defined by the virtual machine environment, and have a shared responsibility for security, depending on which type of service is chosen.

The cloud provider takes almost complete responsibility for security in the case of a SaaS offering, along with the rest of the operation. Besides some application personalization settings, such as with whom a given file is shared, the cloud subscriber has no management control over the system. In the case of PaaS and IaaS, there is a shared responsibility that divides at the architecture layer or virtualization layer, respectively.

Therefore, the degree to which the subscriber and the cloud provider have security responsibility and the associated control depends on the type of cloud service that is purchased by the subscriber. While cloud providers are continually improving the security within their solutions to provide as good or better security than the on-premises equivalents, there are also some new security considerations that emerge from this new arrangement.


Security Improvements through Cloud Service Providers

Cloud providers operate large systems which are run with sophisticated processes and expert staffing for maintaining their systems. This generally results in security advantages over systems run by small businesses, which are unlikely to have access to such a high level of expertise. Security enhancements include:

Staff Specialization: Large scale computing facilities staff specialize in security, privacy, and other key security categories. Such specialization allows the organization to focus on specific security issues, to gain in-depth experience, and to plan comprehensively for security breach events.

Data Centralization: Cloud providers house large quantities of data, and generally invest in sophisticated disk hardware, monitoring software, and security professionals to protect the data. This is particularly beneficial to small businesses, who rarely have such vast resources available.

Incident Response: Cloud providers generally have disciplined incident response protocols, dedicated forensic servers, and substantial log files, all of which tend to be an afterthought in the traditional on-premises environments. These tools and procedures substantially reduce attacks, and make it possible to come to resolution far quicker.

Automated Security Management: Large computing platforms are generally designed with great uniformity that enables improved centralized automation of security management activities. Such activities include configuration control, vulnerability testing, security audits, fault management, load balancing, security patching, and system maintenance. Many cloud providers meet standards of operational compliance and certification such as HIPAA, PCI, ISO 9000, and SAS 70.

System Availability: Redundancy and disaster recovery capabilities are built into cloud computing environments, and are greatly aided by the scalability inherent in such systems.

Backup and Recovery: Backup and recovery policies and procedures of cloud providers are likely to be superior to those that most individual organizations can afford. Copies of the system are generally kept in geographically diverse locations, and can be quickly rerouted and restored in the case of a failure.

Mobile Endpoints: Secure cloud clients are generally available to a wide variety of mobile devices, laptops, notebooks, netbooks, and tablets.

Emerging Security Risks through Cloud Computing

Though there are substantial security benefits that can be gained by housing information assets in data centers, the subscriber must trust the cloud provider to do this job properly. There are many established business segments where most people trust businesses implicitly. We trust banks to manage our money. We trust insurance companies to pay claims. We trust airlines to provide a safe environment on their airplanes. Since cloud computing is still a relatively new industry, businesses want to understand more about which providers to trust with which functions. Concerns include:

Loss of Direct Control: The subscriber relinquishes direct control over many aspects of security. Many people feel more comfortable with risk when they have more control over the processes and equipment involved. Transfer of responsibility to the cloud provider and the corresponding loss of direct customer control over its data and applications necessitates a relatively high degree of trust, transparency and accountability of the cloud provider.

Intrusion Threats from the Internet: Intrusion threats, spam, and viruses are always a concern when a system or application is accessible over the Internet. Threat protection is an essential component in any security strategy, whether IT assets are in a traditional network environment or a cloud environment.

Composite Services: Cloud services themselves can operate on another cloud provider’s service. For example, a SaaS provider could build its services upon the services of a PaaS or IaaS cloud, raising a cascade of trust issues.

Inside Access: The cloud provider must establish sound security procedures to mitigate the risk of rogue employees, contractors, organizational affiliates, and other parties that have access to the organization’s networks.

System Complexity: Cloud computing environments are substantially more complex than traditional data centers. The quality of security depends not only on the individual components such as deployed applications, virtual machines, disk storage and management software, but must also encompass the interactions among them.

Physical Data Access: Cloud users are generally not aware of the exact location of the datacenter, and have no direct knowledge of how physical access mechanisms are controlled. Cloud providers must establish security around the physical machines at the data centers.


Data Distribution: Distributing copies of data across geographically separate data centers is effective for backup, but it also increases the number of points where a security breach can occur and increases the difficulty of tracking a security breach.

Shared Environment: Data in the cloud is typically stored on shared system environments where other customers are unknown. Cloud subscribers generally have little knowledge about the specific mechanisms in place to assure that data will remain vigorously segregated between customers at all times. Data is “logically separated” from the data of other customers through software. Could an attacker pose as a subscriber to exploit vulnerabilities from within the cloud environment?

Long-term Viability: Data must remain safe in changing business situations of the cloud provider such as mergers, acquisitions, or business failure.

Risk Mitigation

Risk mitigation strategies can be devised from an understanding of the risks that persist in the cloud computing environment. The risks that were identified above could be mitigated as follows:

Trust: It is important to vet your cloud provider and to develop the trust that this cloud provider has proper security procedures in place.

Minimize and Guard Points of Entry: In most cases, not every instance needs to be exposed to the Internet. If there are 10 instances, for example, then there are 10 perimeters to worry about. Placing all the instances in a single virtual network to which access is gated by a server is far more secure than launching individual machines.

Firewall: A cloud computing environment can be configured as a virtual private network that is gated by a virtual firewall, which can control which ports are open and generate logs of all traffic in and out of the network. Firewalls should be closed by default. Only ports that need to be open should be open, and only users with appropriate credentials should be allowed into your private network.

DMZ/Private Networks: In cases where public ports such as port 80 or 443 need to be open, perhaps in order to provide access to a web server, the network should be configured as a DMZ/private network. This type of network configuration consists of two networks with separate private and public components. The private component can only be accessed through a single access point, a proxy server. Even if the public network, also referred to as the demilitarized zone or DMZ, is compromised, the private network remains safe.

Security Groups: Security groups are provided by most cloud providers. These are essentially simple firewall rules configured by a hypervisor that are assigned when an instance is originated.

Authentication: It is important to enforce password security rules to ensure that passwords are sufficient in length and complexity so that they are not easily cracked. It is also important that users protect their passwords. As an additional safety measure, two-factor authentication, such as the use of a security question, can be used. An even higher level of authentication security can be achieved by utilizing one of several cloud services that send approval request text messages or email messages as part of the login process. Monitoring the accounts that access your virtual network is another fundamental step in ensuring that unauthorized users do not have access to your systems.

Intrusion Threats from the Internet: Threats such as viruses and trojans are as much of a risk on cloud platforms as they are in traditional on-premises networks. Security software scans to identify security risks and patch updates of application software and OS software are a must.

Data Encryption: Data should be encrypted during transit and at rest. Often the security keys are kept by the cloud provider or a third-party provider. Some providers also make it possible for customers to keep their own security key. It is vital that if the customer holds the only security key, the customer does not lose the key. Without the key, the data cannot be decoded, rendering the data essentially lost.

VPC Made Simple

Constructing a Virtual Private Cloud, also referred to as a VPC, with the latest security and functionality features takes some specialized education. For this reason, Pax8 added a service to its portfolio that automatically constructs a VPC suitable for SMBs.

For the base cloud infrastructure, Pax8 presently uses Amazon Web Services (AWS). This provider is the leader in the industry, and its cloud service is certified by numerous standards including HIPAA, PCI, and ISO 9000, to name just a few. However, many other reputable cloud providers offer unique services. Pax8 is presently working with other providers to offer this service using their infrastructure as well.


In addition to tight security, the Cloud Network design is optimized with rich feature sets specifically with SMB business applications in mind.

The basic VPC [figure 2] suite consists of three basic components: a server, desktop, and network disk. It is not necessary to purchase all the components of the VPC all at once. The system is based on a “modular design” approach. If a single component is purchased, say a single desktop, it is configured in the customer’s private cloud so that when additional components are purchased, they can be added to that private cloud.

[Figure 2: Pax8 Cloud Network, consisting of Cloud Servers, Cloud Desktops, and Cloud Drive.]

If, for example, a server is subsequently ordered on the same account, that server automatically becomes the domain controller for that workstation. Software installed on that server can be run seamlessly from the desktop. If another desktop is purchased, that desktop is also added to the network with the same capability. If a network drive is subsequently ordered on that same account, that network drive is visible from all desktops and the server can be used to control access to it.

Each VPC includes the security measures discussed above. The VPC is isolated from external threats with its own isolated subnet, an enterprise-grade firewall, an OS-level firewall for more granular access control, encrypted RDP connections to servers and desktops, and fully encrypted network drives. The security key is held by Pax8 for the customer’s convenience, but optionally the customer can also set its own encryption and is able to keep the only key.

The customer can also include a VPN, a secure method of connecting a local area network (LAN) to the VPC through the local router. The VPN utilizes a secure tunnel protocol, creating a secure network that combines the devices on both networks into one.

Private-Public DMZ Networks

As described above, when running a device that allows anonymous users to enter the network, it is advisable to separate the network into a public-facing network sometimes called “DMZ network” or “perimeter network,” and a secure private trusted network sometimes called the “internal network” or “screened subnet.”

The basic structure of this type of network is illustrated in figure 3. The DMZ network is connected to the Internet through a firewall, which has all necessary ports for the public applications open. For example, the DMZ might run a web server for which port 80 and 443 are open. Requests made to a machine on the internal network are routed through a proxy server, which contains rules for allowing access. The internal network is isolated, and contains only instances that are not addressable from the outside. The proxy server acts as an intermediary for requests from clients seeking resources from the server inside the internal network.

This configuration requires two independent networks and a server to regulate the traffic between those two networks. Computers that communicate directly with the Internet are placed in the DMZ instead of the internal network. The DMZ is still protected by a firewall, but because certain public traffic is permitted into the DMZ, it is not as secure as the internal network. The good news is that even if the DMZ is compromised, it does not breach the security of the internal network because the networks are completely separate.
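The firewall and DMZ rules described above (closed by default, only ports 80 and 443 public, internal network reachable only through the proxy server) can be checked mechanically against a rule set. The following Python check is an added example, not Pax8 or AWS code; the rule format, the network labels, the proxy address and the admin range are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_PORTS = {80, 443}  # the ports the page opens for a DMZ web server

@dataclass(frozen=True)
class Rule:
    network: str    # "dmz" or "internal" (labels are assumptions of this example)
    source: str     # CIDR allowed to connect
    port_from: int
    port_to: int

def audit(rules, proxy_ip, admin_cidr, default_policy="deny"):
    """Return findings; an empty list means the rules match the DMZ design."""
    findings = []
    if default_policy != "deny":
        findings.append("firewall is not closed by default")
    proxy = ipaddress.ip_network(proxy_ip)      # a bare address becomes a /32
    admin = ipaddress.ip_network(admin_cidr)    # hypothetical administrator range
    for r in rules:
        src = ipaddress.ip_network(r.source, strict=False)
        span = f"{r.port_from}-{r.port_to}"
        if r.network == "internal":
            # The internal network has a single access point: the proxy server.
            if src != proxy:
                findings.append(f"internal: {r.source} reaches ports {span} without the proxy")
        elif r.network == "dmz":
            # Ports other than the public ones may be opened only to the admin range.
            extra = [p for p in range(r.port_from, r.port_to + 1) if p not in PUBLIC_PORTS]
            if extra and not src.subnet_of(admin):
                findings.append(f"dmz: {r.source} can reach non-public ports in {span}")
        else:
            findings.append(f"unknown network label {r.network!r}")
    return findings

# Constructed sample data (private and documentation address ranges, not real hosts).
PROXY_IP = "10.0.1.10"
ADMIN_CIDR = "203.0.113.0/24"
SAMPLE_RULES = [
    Rule("dmz", "0.0.0.0/0", 80, 80),
    Rule("dmz", "0.0.0.0/0", 443, 443),
    Rule("dmz", "203.0.113.0/24", 22, 22),
    Rule("dmz", "0.0.0.0/0", 3389, 3389),        # remote desktop open to everyone
    Rule("internal", "10.0.1.10/32", 8080, 8080),
    Rule("internal", "10.0.1.0/24", 445, 445),   # whole DMZ subnet, not just the proxy
    Rule("internal", "0.0.0.0/0", 1433, 1433),   # database exposed directly
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, PROXY_IP, ADMIN_CIDR):
        print(finding)
```

On the constructed rules the check reports three findings: the Internet-facing remote desktop port in the DMZ, and the two internal rules that admit sources other than the proxy server.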

[Figure 3: The Internet, the DMZ, the Proxy Server, and the Internal Network. The DMZ and the Internal Network are each shown as a Pax8 Cloud Network with Cloud Servers, Cloud Desktops, and Cloud Drive.]


About Pax8

Pax8 is a cloud commerce marketplace, delivering strategic integrated cloud services to businesses through its global network of channel partners.

Pax8 is leading the transformation of its partners’ businesses to become cloud centric by efficiently delivering aggregated cloud solutions through its proprietary cloud marketplace technology platform, and accelerating existing client adoption and new client growth through its proven, collaborative customer acquisition programs.

Cloud Revolution: Understanding and Controlling Security Risks in the Cloud v031914
